000030537 - Get the external Identity Source LDAPS certificate using openssl for Authentication Manager 8.1

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000030537
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
Issue
  • Configuring an identity source to use LDAPS requires the directory server's certificate, which is normally exported on the directory server itself; access to that server may not be available.
  • The error "Test failed. Unable to establish a connection to the directory" is returned by Test Connection on a new or existing identity source that uses LDAPS.
  • When the directory server's LDAPS certificate has been changed or renewed, the new certificate must be added under Identity Source Certificates, again without access to the directory server itself.
Tasks
Use the openssl command-line tool on the Authentication Manager 8.1 server to connect to the LDAPS port of the directory server and retrieve the certificate it currently presents for LDAPS connections.
Resolution

  1. Log in to the Authentication Manager server with an SSH client (e.g. PuTTY) and run the following command:


    openssl s_client -connect <ldaps_server_fqdn or ip_address>:<ldaps_port>


    After printing the handshake details, s_client stays connected waiting for input; press Ctrl+C (or append </dev/null to the command) to return to the prompt. In the example below the external identity source is the domain controller 2k8r2-dc1.2k8r2-vcloud.local and the LDAPS port is 636:


    rsaadmin@am81p:~> openssl s_client -connect 2k8r2-dc1.2k8r2-vcloud.local:636
    CONNECTED(00000003)
    depth=0 /CN=2k8r2-dc1.2k8r2-vcloud.local
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /CN=2k8r2-dc1.2k8r2-vcloud.local
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /CN=2k8r2-dc1.2k8r2-vcloud.local
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
    0 s:/CN=2k8r2-dc1.2k8r2-vcloud.local
       i:/DC=local/DC=2k8r2-vcloud/CN=2k8r2-vcloud-2K8R2-DC1-CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIGJjCCBQ6gAwIBAgIKEsuj6gAAAAAABDANBgkqhkiG9w0BAQUFADBZMRUwEwYK
    CZImiZPyLGQBGRYFbG9jYWwxHDAaBgoJkiaJk/IsZAEZFgwyazhyMi12Y2xvdWQx
    IjAgBgNVBAMTGTJrOHIyLXZjbG91ZC0ySzhSMi1EQzEtQ0EwHhcNMTQwOTExMDEy
    ODQ5WhcNMTUwOTExMDEyODQ5WjAnMSUwIwYDVQQDExwyazhyMi1kYzEuMms4cjIt
    dmNsb3VkLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArEKb
    npC+gUgqm7G0CRDLJ1n1tG4J4eEfuzr9IHxvGMCnGC45HmhVdpGoiXTI3Wbjpccf
    pE5fjEzTtgeVhvWokPLQk0XNjL3PflTaXPPlTKVQyVYLknODOsuA7arFUmVc1q/U
    jx4zbF60jTJwRu7LHKbpsSJVEjsxw8pG+1tZXkMVUyIBuvUZtbXZd5jydHhp7HIj
    pLjyPOhNH4Iv2txCdT+2TM+IBRfWTLwhRE23AGApbgpQFAoMthqPCrNfCwXU+rPw
    WY9FgO0KQrTlWtBhKRKh3oQ3nca16nZ7cO/mF+/zzWtZEHvPocWtv6bxuXnV7xob
    13Vl0JtaLYZLIj1W5QIDAQABo4IDIDCCAxwwLwYJKwYBBAGCNxQCBCIeIABEAG8A
    bQBhAGkAbgBDAG8AbgB0AHIAbwBsAGwAZQByMB0GA1UdJQQWMBQGCCsGAQUFBwMC
    BggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCBaAweAYJKoZIhvcNAQkPBGswaTAOBggq
    hkiG9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCAMAsGCWCGSAFlAwQBKjALBglghkgB
    ZQMEAS0wCwYJYIZIAWUDBAECMAsGCWCGSAFlAwQBBTAHBgUrDgMCBzAKBggqhkiG
    9w0DBzAdBgNVHQ4EFgQUy9sE6v+XKSINiffZkzTDyjsV/OEwHwYDVR0jBBgwFoAU
    30PS6dNgHEGMrmSGD6iMf35LLagwgeAGA1UdHwSB2DCB1TCB0qCBz6CBzIaByWxk
    YXA6Ly8vQ049Mms4cjItdmNsb3VkLTJLOFIyLURDMS1DQSxDTj0yazhyMi1kYzEs
    Q049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENO
    PUNvbmZpZ3VyYXRpb24sREM9Mms4cjItdmNsb3VkLERDPWxvY2FsP2NlcnRpZmlj
    YXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRp
    b25Qb2ludDCB0gYIKwYBBQUHAQEEgcUwgcIwgb8GCCsGAQUFBzAChoGybGRhcDov
    Ly9DTj0yazhyMi12Y2xvdWQtMks4UjItREMxLUNBLENOPUFJQSxDTj1QdWJsaWMl
    MjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERD
    PTJrOHIyLXZjbG91ZCxEQz1sb2NhbD9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0
    Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTBIBgNVHREEQTA/oB8GCSsGAQQB
    gjcZAaASBBAhwKX+NTxET48lQ/oXB0hHghwyazhyMi1kYzEuMms4cjItdmNsb3Vk
    LmxvY2FsMA0GCSqGSIb3DQEBBQUAA4IBAQCnX7nJC7NMSjSWedhJuE88UfCXMGMP
    b9gU0YQZvGcNqcOkUpRcYLYjc4lapSTSno+hu1pQwQ+iZKxaFz9vDga6RC4TGUS2
    T7KlCEl86DeiFjZrr+lvAvMwX9dwejHsm1O77xQV/KWlwRRQgGZksypSyoYdAKM8
    ePmqjjU77+12tm5dK7Pp76LuHwh9Rg+UxliizrfKttZ0DNMnEMfDMu5sRbcr3C5N
    0gWO0qlE7GCknP4Ai/QcqYVAwSjYwN4Bsdl5KUE9TrIHj0QEH19qMEVDFa7c0Wl5
    BA1q3CeU+V4DtWR922nRZzmkybQo5bJrrKN39NwiCA/dE9LbM4OMxGRK
    -----END CERTIFICATE-----
    subject=/CN=2k8r2-dc1.2k8r2-vcloud.local
    issuer=/DC=local/DC=2k8r2-vcloud/CN=2k8r2-vcloud-2K8R2-DC1-CA
    ---
    Acceptable client certificate CA names
    /DC=local/DC=2k8r2-vcloud/CN=2k8r2-vcloud-2K8R2-DC1-CA
    /CN=2k8r2-dc1.2k8r2-vcloud.local
    /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
    /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2011
    /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
    /DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
    /CN=NT AUTHORITY
    ---
    SSL handshake has read 2836 bytes and written 477 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES128-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES128-SHA
        Session-ID: BB08000096E8F94C2D986E6920D5BA2DA75DFA6C62D7F57C8C455F4121012EA9
        Session-ID-ctx:
        Master-Key: F10A0F66C04CA3DC62FB777BA60ABD7A77EE25116D30E1E29A2FA708F2558FF080131FC4B5FFC96...
        Key-Arg   : None
        Start Time: 1434324010
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---



  2. In the "Server certificate" part of the output, highlight and copy everything from the line -----BEGIN CERTIFICATE----- to the line -----END CERTIFICATE----- inclusive; both marker lines must be part of what is copied. The copied text should look like the example below:



  3. Paste the text into a text editor such as Notepad.



  4. Choose File > Save As.



  5. Click the drop-down for Save as type and select the All Files (*.*) option.



  6. Save the file with a .cer extension (e.g. ldaps_cert.cer).



  7. Log in to the Operations Console on the primary server to import the saved .cer file.



  8. Select Deployment Configuration > Identity Sources > Identity Source Certificates > Add New



  9. Give the certificate any name, then click Choose File and browse to the .cer file saved in step 6.



  10. Click Save.
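The copy-and-paste in steps 2 to 6 can be replaced by a short script run on the Authentication Manager server itself, which also lets you check the subject, validity dates and fingerprint of the certificate before importing it in steps 7 to 10. The script below is an added example and is not part of the RSA article; the host name, port and output file name are placeholders, and the sample s_client output embedded for the self-check is constructed text, not a real certificate.

```shell
#!/bin/sh
# Added example, not from the RSA article: save the LDAPS server certificate
# printed by `openssl s_client` into a .cer file and inspect it before import.
# Host, port and output file name are placeholders; sample_s_client_output
# is constructed test data, not a real certificate.

# Print only the first PEM certificate block found on stdin. s_client prints
# the server (leaf) certificate first, so this is the right block even when
# -showcerts is used and the issuer chain follows it.
extract_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Connect to the directory server and save its certificate as PEM (.cer).
# </dev/null closes s_client's stdin so it exits after the handshake instead
# of waiting for input. The verify errors s_client prints are expected here:
# OpenSSL on this server does not yet trust the directory's CA.
fetch_ldaps_cert() {
    host=$1; port=${2:-636}; out=${3:-ldaps_cert.cer}
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null | extract_pem > "$out"
    # Do not leave an empty or truncated file behind if the handshake failed
    if ! grep -q -- '-----END CERTIFICATE-----' "$out"; then
        echo "no certificate received from $host:$port" >&2
        rm -f "$out"
        return 1
    fi
}

# Show what you are about to trust: subject, issuer, validity period and
# SHA-256 fingerprint. Confirm the fingerprint with the directory
# administrator out of band before importing the file (use -sha1 on very
# old OpenSSL builds that lack -sha256).
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Constructed stand-in for s_client -showcerts output (not real certificates),
# used only to exercise extract_pem offline.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
depth=0 /CN=dc1.example.local
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/CN=dc1.example.local
   i:/DC=local/DC=example/CN=example-DC1-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBconstructedLeafCertificateBodyNotRealAAAA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedIssuerCertificateBodyNotRealAAAA
-----END CERTIFICATE-----
subject=/CN=dc1.example.local
issuer=/DC=local/DC=example/CN=example-DC1-CA
---
EOF
}

# Usage: sh get_ldaps_cert.sh <ldaps_server_fqdn> [port] [output.cer]
if [ $# -ge 1 ]; then
    fetch_ldaps_cert "$1" "${2:-636}" "${3:-ldaps_cert.cer}" && show_cert "${3:-ldaps_cert.cer}"
fi
```

Run it as rsaadmin on the Authentication Manager server, for example `sh get_ldaps_cert.sh 2k8r2-dc1.2k8r2-vcloud.local 636 ldaps_cert.cer`, then copy the resulting .cer file to the workstation from which you use the Operations Console. The `show_cert` output is also the quickest way to confirm the renewed-certificate case from the Issue section: if the notAfter date has passed, the directory server is still presenting the old certificate.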


Notes
  • This procedure does not expose any private information from the directory server: the TLS handshake sends only the server's public certificate, which every LDAPS client receives.
  • It only captures the certificate the directory server currently presents for LDAPS connections, without logging in to the directory server to export it.
  • The "verify error" lines and "Verify return code: 21 (unable to verify the first certificate)" in the s_client output are expected, because OpenSSL on the Authentication Manager server does not hold the directory's CA certificate; they do not indicate a problem with the directory server.
  • The certificate is retrieved over the network without any verification, so confirm its subject and fingerprint (openssl x509 -in ldaps_cert.cer -noout -subject -fingerprint -sha256) with the directory administrator before importing it; whatever is imported becomes the certificate Authentication Manager trusts for that identity source.
